Adding Azure key vault certificate to Azure Batch account via .NET libs


I need to automate the creation of an Azure Batch account. Part of that is adding a certificate to the account from an existing Azure key vault. I think I have all the pieces I need, but I just can't get them all to fit together; I have a KeyVault.Models.CertificateBundle object and a Management.Batch.Models.BatchAccount object, but I'm not sure how to get one into the other.

My code looks like this:

// Create Batch account
var storageAccount = new Models.AutoStorageBaseProperties(storageAccountId);
mgmtClient.BatchAccount.Create(resourceGroupName, accountName,
    new Models.BatchAccountCreateParameters()
    {
        Location = clusterZone,
        AutoStorage = storageAccount
    });

string certName;
Models.CertificateCreateOrUpdateParameters certParams;

// Add certificate
using (KeyVaultClient kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetKeyVaultToken)))
{
    // Fetch the certificate bundle (public part only) from Key Vault
    var cert = kvClient.GetCertificateAsync(certId).GetAwaiter().GetResult();
    // Base64 of the raw thumbprint bytes returned by Key Vault
    string thumbprint = Convert.ToBase64String(cert.X509Thumbprint);
    // Base64 of the DER-encoded certificate
    string cer = Convert.ToBase64String(cert.Cer);
    certParams = new Models.CertificateCreateOrUpdateParameters(cer, cert.Id, thumbprint: thumbprint, format: Models.CertificateFormat.Cer, type: cert.ContentType);
    certName = $"SHA1-{thumbprint}"; // not sure about this one
}

// failing with a complaint about the cert name
mgmtClient.Certificate.Create(resourceGroupName, accountName, certName, certParams);

The exact error I'm getting with this code is:

'certificateName' does not match expected pattern '^[\\w]+-[\\w]+$'.

certName looks like SHA1-XXXXXXXXXXXXXXXXXXXXXX+XXXX=. There are some non-alphanumeric characters in the thumbprint. I'm just sort of guessing that this is SHA1, but other than that the name looks right to me. I'm not sure what I'm missing.

I'd also happily accept someone's easier solution to this particular issue.


Solution

  • 'certificateName' does not match expected pattern '^[\w]+-[\w]+$'.

    You could debug the code and check the thumbprint from Azure Key Vault. In your code, the thumbprint you get is not the same as the certificate thumbprint. I got the certificate thumbprint with the following code.

    // Load the DER bytes from the Key Vault bundle; Thumbprint is the SHA-1 hash as hex
    X509Certificate2 x509 = new X509Certificate2(cert.Cer);
    var thumbprint = x509.Thumbprint;
    

    The following is the demo code I used to add the cert to the Azure Batch account.

    var credentials = SdkContext.AzureCredentialsFactory.FromFile(@"cred file path");
    var resourceGroup = "resourceGroup";
    var accountName = "batchAccountName";
    var subscriptionId = "subscriptionName";
    var certificateIdentifier = "https://keyvaultName.vault.azure.net/certificates/certName/xxxxx";
    var batchManagementClient = new BatchManagementClient(credentials)
    {
        SubscriptionId = subscriptionId
    };
    var azureServiceTokenProvider = new AzureServiceTokenProvider();

    var keyVaultClient =
        new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    var cert = keyVaultClient.GetCertificateAsync(certificateIdentifier).Result;
    // Hex SHA-1 thumbprint computed from the DER bytes, not the base64 of X509Thumbprint
    X509Certificate2 x509 = new X509Certificate2(cert.Cer);
    var thumbprint = x509.Thumbprint;
    // Batch expects the certificate body as base64 of the DER encoding
    var certContent = Convert.ToBase64String(cert.Cer);
    // Name must match ^[\w]+-[\w]+$, i.e. "<algorithm>-<hex thumbprint>"
    var certName = $"SHA1-{thumbprint}";
    var result = batchManagementClient.Certificate.CreateAsync(resourceGroup, accountName, certName, new CertificateCreateOrUpdateParametersInner
    {
        Thumbprint = thumbprint,
        Data = certContent,
        ThumbprintAlgorithm = "SHA1",
        Format = CertificateFormat.Cer,
    }).Result;
    

    Test Result: [screenshot not included on this page]
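The example below is added here to illustrate the point made in the answer; it is not code from the question or the answer. It builds a throwaway self-signed certificate in memory (constructed test data with a placeholder subject name, requiring .NET Core 2.0+ or .NET Framework 4.7.2+ for CertificateRequest), then shows why a base64 encoding of the raw thumbprint bytes can never satisfy the Batch name pattern `^[\w]+-[\w]+$` while the hex thumbprint from X509Certificate2 always does. It also adds a check, not present on the page, that the thumbprint placed in the request really is the hash of the DER bytes being uploaded, so a mismatched pair is caught locally before any call to the management API.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;

public static class BatchCertificateNameDemo
{
    // The pattern quoted verbatim in the error returned by the Batch management API.
    private static readonly Regex BatchCertNamePattern = new Regex(@"^[\w]+-[\w]+$");

    // The name Batch expects: "<thumbprint algorithm>-<hex thumbprint>".
    // X509Certificate2.Thumbprint is the SHA-1 digest of the DER bytes as upper-case hex.
    public static string BuildCertificateName(byte[] cer)
    {
        using (var x509 = new X509Certificate2(cer))
        {
            return $"SHA1-{x509.Thumbprint}";
        }
    }

    public static bool IsValidBatchCertificateName(string name)
    {
        return BatchCertNamePattern.IsMatch(name);
    }

    // Local consistency check before building CertificateCreateOrUpdateParameters:
    // the thumbprint field must be the SHA-1 hash of the DER bytes actually uploaded.
    public static bool ThumbprintMatchesData(byte[] cer, string thumbprintHex)
    {
        using (var sha1 = SHA1.Create())
        {
            string computed = BitConverter.ToString(sha1.ComputeHash(cer)).Replace("-", "");
            return string.Equals(computed, thumbprintHex, StringComparison.OrdinalIgnoreCase);
        }
    }

    public static void Main()
    {
        // Constructed self-signed certificate so the example runs offline; "CN=placeholder-batch-cert"
        // is a placeholder subject, not a real certificate from the page.
        byte[] cer;
        using (var rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=placeholder-batch-cert", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (var selfSigned = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(30)))
            {
                // DER encoding, the same form as CertificateBundle.Cer returned by Key Vault.
                cer = selfSigned.Export(X509ContentType.Cert);
            }
        }

        // What the question did: base64 of the 20 raw SHA-1 bytes. 20 is not a multiple of 3,
        // so the encoding always ends in '=' and may contain '+' or '/', none of which match [\w].
        byte[] rawThumbprint;
        using (var sha1 = SHA1.Create())
        {
            rawThumbprint = sha1.ComputeHash(cer);
        }
        string base64Name = $"SHA1-{Convert.ToBase64String(rawThumbprint)}";

        // What the answer did: the hex thumbprint taken from X509Certificate2.
        string hexName = BuildCertificateName(cer);

        Console.WriteLine($"{base64Name} -> valid name: {IsValidBatchCertificateName(base64Name)}");
        Console.WriteLine($"{hexName} -> valid name: {IsValidBatchCertificateName(hexName)}");

        string hexThumbprint = hexName.Substring("SHA1-".Length);
        Console.WriteLine($"thumbprint matches uploaded data: {ThumbprintMatchesData(cer, hexThumbprint)}");
    }
}
```

Running it prints the base64 form as an invalid name and the hex form as valid, and confirms that the hex thumbprint equals the SHA-1 of the DER bytes. In the real flow, the same ThumbprintMatchesData check can be applied to the `Thumbprint` and `Data` fields of the request object before calling `Certificate.CreateAsync`, which guards against uploading a certificate body whose declared thumbprint belongs to a different certificate.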